Export limit exceeded: 11875 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.

Search

Search Results (11875 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2024-10536 2026-04-15 4.3 Medium
The FancyPost – Best Ultimate Post Block, Post Grid, Layouts, Carousel, Slider For Gutenberg & Elementor plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the handle_block_shortcode_export() function in all versions up to, and including, 6.0.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to export shortcodes.
CVE-2024-10866 2026-04-15 5.3 Medium
The Export Import Menus plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the dsp_export_import_menus() function in all versions up to, and including, 1.9.1. This makes it possible for unauthenticated attackers to export menu data and settings.
CVE-2025-47942 1 Openedx 1 Edx-platform 2026-04-15 5.3 Medium
The Open edX Platform is a learning management platform. Prior to commit 6740e75c0fdc7ba095baf88e9f5e4f3e15cfd8ba, edxapp has no built-in protection against downloading the python_lib.zip asset from courses, which is a concern since it often contains custom grading code or answers to course problems. This potentially affects any course using custom Python-graded problem blocks. The openedx/configuration repo has had a patch since 2016 in the form of an nginx rule, but this was only intended as a temporary mitigation. As the configuration repo has been deprecated and we have not been able to locate any similar protection in Tutor, it is likely that most deployments have no protection against python_lib.zip being downloaded. The recommended mitigation, implemented in commit 6740e75c0fdc7ba095baf88e9f5e4f3e15cfd8ba, restricts python_lib.zip downloads to just the course team and site staff/superusers.
CVE-2024-12176 2026-04-15 5.3 Medium
The WordLift – AI powered SEO – Schema plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the 'wl_config_plugin' AJAX action in all versions up to, and including, 3.54.2. This makes it possible for unauthenticated attackers to update the plugin's settings.
CVE-2024-12202 1 Wordpress 1 Wordpress 2026-04-15 8.8 High
The Croma Music plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the 'ironMusic_ajax' function in all versions up to, and including, 3.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site.
CVE-2024-12711 2 Wordpress, Wpchill 2 Wordpress, Rsvp And Event Management 2026-04-15 5.3 Medium
The RSVP and Event Management plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on several AJAX functions like bulk_delete_attendees() and bulk_delete_questions() in all versions up to, and including, 2.7.13. This makes it possible for unauthenticated attackers to delete questions and attendees and for authenticated users to update question menu orders.
CVE-2025-46569 2026-04-15 8.1 High
Open Policy Agent (OPA) is an open source, general-purpose policy engine. Prior to version 1.4.0, when run as a server, OPA exposes an HTTP Data API for reading and writing documents. Requesting a virtual document through the Data API entails policy evaluation, where a Rego query containing a single data document reference is constructed from the requested path. This query is then used for policy evaluation. A HTTP request path can be crafted in a way that injects Rego code into the constructed query. The evaluation result cannot be made to return any other data than what is generated by the requested path, but this path can be misdirected, and the injected Rego code can be crafted to make the query succeed or fail; opening up for oracle attacks or, given the right circumstances, erroneous policy decision results. Furthermore, the injected code can be crafted to be computationally expensive, resulting in a Denial Of Service (DoS) attack. This issue has been patched in version 1.4.0. A workaround involves having network access to OPA’s RESTful APIs being limited to `localhost` and/or trusted networks, unless necessary for production reasons.
CVE-2024-12781 2026-04-15 4.3 Medium
The Aurum - WordPress & WooCommerce Shopping Theme theme for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'lab_1cl_demo_install_package_content' function in all versions up to, and including, 4.0.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to overwrite content with imported demo content.
CVE-2025-27435 2026-04-15 4.2 Medium
Under specific conditions and prerequisites, an unauthenticated attacker could access customer coupon codes exposed in the URL parameters of the Coupon Campaign URL in SAP Commerce. This could allow the attacker to use the disclosed coupon code, hence posing a low impact on confidentiality and integrity of the application.
CVE-2025-31481 1 Api-platform 1 Core 2026-04-15 7.5 High
API Platform Core is a system to create hypermedia-driven REST and GraphQL APIs. Using the Relay special node type you can bypass the configured security on an operation. This vulnerability is fixed in 4.0.22 and 3.4.17.
CVE-2025-27437 2026-04-15 4.3 Medium
A Missing Authorization Check vulnerability exists in the Virus Scanner Interface of SAP NetWeaver Application Server ABAP. Because of this, an attacker authenticated as a non-administrative user can initiate a transaction, allowing them to access but not modify non-sensitive data without further authorization and with no effect on availability.
CVE-2025-8322 1 Ventem 1 E-school 2026-04-15 8.8 High
The e-School from Ventem has a Missing Authorization vulnerability, allowing remote attackers with regular privilege to access administrator functions, including creating, modifying, and deleting accounts. They can even escalate any account to system administrator privilege.
CVE-2025-42955 1 Sap 1 Cloud Connector 2026-04-15 3.5 Low
Due to a missing authorization check in SAP Cloud Connector, an attacker on an adjacent network with low privileges could send a crafted request to the endpoint responsible for testing LDAP connections. A successful exploit could lead to reduced performance, hence a low-impact on availability of the service. Confidentiality and integrity of the data are not affected.
CVE-2025-42953 1 Sap 1 Netweaver 2026-04-15 8.1 High
SAP Netweaver System Configuration does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. This could completely compromise the integrity and availability with no impact on confidentiality of the system.
CVE-2024-12253 2026-04-15 5.4 Medium
The Simple Ecommerce Shopping Cart Plugin- Sell products through Paypal plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the 'save_settings', 'export_csv', and 'simpleecommcart-action' actions in all versions up to, and including, 3.1.2. This makes it possible for authenticated attackers, with subscriber-level access and above, to update the plugins settings and retrieve order and log data (which is also accessible to unauthenticated users).
CVE-2025-42952 2026-04-15 7.7 High
SAP Business Warehouse and SAP Plug-In Basis allows an authenticated attacker to add fields to arbitrary SAP database tables and/or structures, potentially rendering the system unusable. On successful exploitation, an attacker can render the system unusable by triggering short dumps on login. This could cause a high impact on availability. Data confidentiality and integrity are not affected. No data can be read, changed or deleted.
CVE-2025-42949 1 Sap 1 Abap Platform 2026-04-15 4.9 Medium
Due to a missing authorization check in the ABAP Platform, an authenticated user with elevated privileges could bypass authorization restrictions for common transactions by leveraging the SQL Console. This could enable an attacker to access and read the contents of database tables without proper authorization, leading to a significant compromise of data confidentiality. However, the integrity and availability of the system remain unaffected.
CVE-2025-3260 1 Grafana 1 Grafana 2026-04-15 8.3 High
A security vulnerability in the /apis/dashboard.grafana.app/* endpoints allows authenticated users to bypass dashboard and folder permissions. The vulnerability affects all API versions (v0alpha1, v1alpha1, v2alpha1). Impact: - Viewers can view all dashboards/folders regardless of permissions - Editors can view/edit/delete all dashboards/folders regardless of permissions - Editors can create dashboards in any folder regardless of permissions - Anonymous users with viewer/editor roles are similarly affected Organization isolation boundaries remain intact. The vulnerability only affects dashboard access and does not grant access to datasources.
CVE-2025-48757 2026-04-15 9.3 Critical
An insufficient database Row-Level Security policy in Lovable through 2025-04-15 allows remote unauthenticated attackers to read or write to arbitrary database tables of generated sites. NOTE: this is disputed by the Supplier because each individual customer of the Lovable platform accepts a responsibility over protecting the data of their application.
CVE-2022-41995 2026-04-15 4.3 Medium
Missing Authorization vulnerability in Galleryape Gallery Images Ape allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Gallery Images Ape: from n/a through 2.2.8.